I wish to understand the best practices relating to nonce validation in REST APIs.
I see lots of people talking about the wp_rest nonce for REST requests. However, upon looking at WordPress core code, I noticed that wp_rest is only a nonce to validate a logged-in user's status; if it is not current, it simply runs the request as a visitor.
That said, should I submit two nonces when sending a POST request to a REST API? One for authentication, wp_rest, and another for the action, foo_action?
If that's the case, how should I send the wp_rest and foo_action nonces in JavaScript, and, in PHP, what is the appropriate place to validate these nonces? (I mean validate_callback for an arg? permission_callback?)
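
The arrangement the question describes, sketched as an added example that is not part of the original post and not WordPress core code: the wp_rest nonce travels in the X-WP-Nonce header so core resolves the logged-in user, and the permission_callback then checks a capability plus an action-specific nonce. The route foo/v1/action, the foo_nonce parameter, the fooApi object, the foo-client.js script and the edit_posts capability are hypothetical names chosen for illustration.

```php
<?php
// Added example. Route, parameter, script and capability names are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'foo/v1', '/action', array(
        'methods'             => 'POST',
        'callback'            => 'foo_handle_action',
        'permission_callback' => 'foo_action_permission',
        'args'                => array(
            // Shape check only; authorization belongs in permission_callback.
            'foo_nonce' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );

function foo_action_permission( WP_REST_Request $request ) {
    // Core's cookie check has already run. Without a wp_rest nonce the
    // request is handled as a logged-out visitor, so this check fails.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'foo_forbidden', 'You are not allowed to do this.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    // Second, action-scoped nonce: ties the request to this one operation.
    $nonce = (string) $request->get_param( 'foo_nonce' );
    if ( ! wp_verify_nonce( $nonce, 'foo_action' ) ) {
        return new WP_Error( 'foo_bad_nonce', 'Invalid or expired action nonce.',
            array( 'status' => 403 ) );
    }
    return true;
}

function foo_handle_action( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'done' => true, 'user' => get_current_user_id() ) );
}

// Hand both nonces to the page script. The client then sends:
//   header  X-WP-Nonce: fooApi.restNonce
//   body    { "foo_nonce": fooApi.fooNonce }
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'foo-client', plugins_url( 'foo-client.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'foo-client', 'fooApi', array(
        'url'       => esc_url_raw( rest_url( 'foo/v1/action' ) ),
        'restNonce' => wp_create_nonce( 'wp_rest' ),
        'fooNonce'  => wp_create_nonce( 'foo_action' ),
    ) );
} );
```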